What is BAA and Why Should HIPAA Protected Industries Care

Does it feel like you’re dealing with nothing but alphabet soup when it comes to your healthcare business? Or do your healthcare clients not bother to keep up with the laws that affect their business? It’s true that there are a lot of legal requirements that the healthcare industry must comply with to avoid trouble down the line. One of these requirements is the BAA, or Business Associate Agreement. It’s a federal law that defines liability, how information is shared, and how partnered businesses should work together when dealing with patient information.

Who Is a Business Associate?

The U.S. Department of Health and Human Services defines a business associate as an individual or entity (business) that performs certain tasks or functions requiring access to protected health information, or PHI. This definition typically covers insurance companies, service providers, equipment suppliers, and health care clearinghouses. Anyone who has to access PHI and who is not an employee or partner in the business falls under the definition of a business associate and is subject to this law governing the protection of sensitive information.

Who Signs a BAA Contract?

Anyone who is a business partner of a healthcare operation has to sign a BAA. This is usually done by checking off a box online or by presenting a physical copy of the agreement for a responsible party to sign. After the BAA has been signed, all involved parties must adhere to the requirements of the law and protect PHI.

The law governing electronic health records, or EHR, requires health care providers to store patient records electronically. Not all operations have the ability to keep a server room on site to store the data; some go off site instead, using cloud services offered by companies such as Google and Dropbox for file storage. However, it’s important to make sure that the service you’re using is BAA-compliant. Cloud service providers don’t apply the same security protocols across all products, which means the consumer-level product won’t adhere to the requirements of the BAA. These companies do offer services that are targeted toward HIPAA/BAA compliance, however, and healthcare customers should request those instead.

Who’s Responsible for What?

Under the BAA, both parties share equal responsibility for PHI. The third party must keep records under strict confidentiality and control to prevent unauthorized access, but this obligation applies only when the third party requires full access to the information. Full access means the third party can view the patient’s personal information along with his or her health records. If a third party does not need full PHI, it does not need to sign a BAA: the office staff strips out identifying information first, then sends the de-identified files to the third party.

It’s important to review all third-party interactions to determine whether they fall under BAA. This may take some time, but it’s beneficial in the long run. Protecting patient information is priority number one for any healthcare operation, and it’s better to trust but verify rather than simply trust.